UIC, represented by Mr José Pires (Senior Advisor of the UIC Security Division), attended the EU Cybersecurity Strategy – High Level Conference in Brussels on 28 February 2014.

In front of an audience of nearly 400 participants, the conference presented the progress of the EU Cybersecurity strategy (EU Cyber security Strategy (JOIN(2013)final) in the first year after its adoption. It provided information on the state of play of the implementation of the five main priorities of the Strategy and showcased highlights of the main actions in the Strategy.

The conference also represented an opportunity to explore the way forward regarding the Commission proposal for a Directive laying down measures to ensure a high level of network and information security across the Union and the next steps to foster trust in the public and private sector for the benefit of citizens and the Digital Single Market.

In the opening speech Mrs Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda, addressed the relevance of the topic by saying, “Digital technologies are changing our world!”

It is a fact that often people and business do not realise that the state of play of “things” change every day. Contrary to the beginning of the industrial revolution where “things” took time to become stable and integrated in the society, today “things” immediately take place and we can see the differences happening (almost daily) from cars to classrooms; from payments to power stations, etc.

No doubt that this offers huge opportunities for citizens, the society and the economy, and they are significant. The Internet economy generates over one fifth of our growth; 200 million Europeans buy online each year.

But “like any new advance, these opportunities can be misused. We have the technological ability to do immense, unprecedented things. Many of those things are positive; some are damaging. And increasing reliance means increasing vulnerability,” said Mrs Neelie Kroes. And that is the main reason to involve many people from many sectors where all can better realise the opportunities, understand the vulnerabilities and provide a secure space for digital technology use.

Mrs Neelie Kroes concluded by stating that “the Cyber Security Strategy is providing us with the right building blocks, but there is important work still to be done. A strong Directive is a European competitive advantage. A weak one or none at all, would be proof that democracy can’t manage technology.”

EU Cybersecurity Strategy state of play

In brief the Strategy is accompanied by the technical legislative proposal by the European Commission’s Directorate General Connect to strengthen the security of information systems in the EU. This will encourage economic growth as people’s confidence in buying things online and using the Internet will be strengthened. The Strategy is offering clear priorities for the EU international cyberspace policy:

• Freedom and openness: The strategy will outline the vision and principles on applying the EU core values and fundamental rights in cyberspace.
• The laws, norms and EU’s core values apply as much in the cyberspace as in the physical world: The responsibility for a more secure cyberspace lies with all players of the global information society, from citizens to governments.
• Developing cyber security capacity building: The EU will engage with international partners and organisations, the private sector and civil society to support global capacity building in third countries. It will include improving access to information and to an open Internet, and preventing cyber threats.
• Fostering international cooperation in cyberspace issues: To preserve open, free and secure cyberspace is a global challenge, which the EU will address together with the relevant international partners and organisations, the private sector and civil society.
• It is therefore urgent to put in place these actions because unfortunately, the amount of cyber incidents increases every day, estimations are indicating that at least one million people become victims of cybercrimes daily. This obviously influences the reliance of the Internet and constrains us in our digital lives. At the same time it is devastating for the economy.

Cybersecurity and the Rail Sector

Also within the scope of the rapid railways technology developments there is an urgent need to set and implement strategies to manage the risk of cyber attacks against rail organisations. Those will have to be fully aligned with the rail companies’ business plans and the member states EU Cybersecurity Strategy implementation plan.

Some rail companies in Europe are already addressing it. Network Rail published its Cyber Security Strategy (Cyber Security Strategy - Network Rail) in September 2013. For the UK rail network infrastructure manager it is clear that “As a provider of critical national infrastructure, we may be targeted by groups with political or ideological differences to the UK at large, in addition to attacks from amateur hackers, organised criminals, industrial spies, or disgruntled employees. All of these to one degree or another may have the motivation and an increasing technical capability to exploit vulnerable systems.”

Railways as well as many other critical sectors are realising that the cyber security threats to business operations is a growing concern; not just to governments, private enterprises and other commercial organisations.

Setting basic principles (These Principles are general and have as a base the ones described in the Cyber Security Strategy - Network Rail) will help to develop and put in place a Cybersecurity strategy but keeping in mind a comprehensive policy framework ensuring citizens’ trust and online privacy. Those can be developed in order to create the ability to detect and respond to threatening cyber activity; to develop and maintain a detailed understanding of our risk exposure to inform cyber defence and business change activities; seeking to manage rather than avoid all risk so that people can continue to benefit from opportunities in cyberspace, etc.

A wider analysis by the rail operating community discussion regarding the ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace’, that the European Commission (EC) adopted in February 2013 is needed.
The proposal for a ‘Directive concerning measures to ensure a high common level of network and information security across the Union’ (COM(2013)048) has the goal to be increasingly prepared to handle incidents and improve their cooperation with each other, and by requiring, inter alia, operators of critical infrastructure (e.g. transport) and adopt appropriate steps to manage security risks and report serious incidents to the national authorities.

Still and as recently reported by CER about the outcome of the vote that the Internal Market and Consumer Protection (IMCO) Committee of the European Parliament held on the Commission’s proposal for the so called NIS Directive was positive for our sector. The CER position paper addressed the rail sector concern toward the legislative proposal but the overall concerns raised were considered and that led to better address:

• Level of criticality of market operators:
• Treatment of confidential data:
• Involvement of market operators:
• Publicity of incidents

In such a complex matter a collaborative effort is needed to develop a rail comprehensive protection strategy that can introduce coherent and sustainable measures to cope with the current and future Cybersecurity threats.
EU Cybersecurity Strategy – High Level Conference next steps
With regard to with the policy and EU state of play the next few months will be crucial for this Directive. The EU commission will be working closely with the Parliament and Member States to adopt it by the end of this year.
The general feeling was that the Cyber Security Strategy is providing all with the right building blocks, but there is still important work to be done.
In the words of Mrs Neelie Kroes “a strong Directive is a European competitive advantage. A weak one or none at all, would be a proof that democracy can’t manage technology.”